General

  • Target

    ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240412-fzpzxsfe92

  • MD5

    ef3767ef13fb990913bd5c1a6b3e096f

  • SHA1

    9b06a00d3e5370a43e9e123235850263857f0270

  • SHA256

    8f8da0486aaad7e72a762f3c66f64a960a6f6dacbc9f21fb3567a8c0b5be48de

  • SHA512

    b2c5c8743ed94b03441404552fcf31d403344dd2546c1b72011b2053dc47b993b98d25c1635f73dfa199fc4fb180b3a3ff8a00cebeba27af1948aa058d1a167c

  • SSDEEP

    12288:wIdgdMqoYBE5gTG2DQy2KibdJBA7gsh9NXsVWgCqGum80deaARreevyq4K6mf:UmdYmCq2DsnZJBAxN8JCqG380KhvVsQ

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ayocj2018

Targets

    • Target

      ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118

    • Size

      1.1MB

    • MD5

      ef3767ef13fb990913bd5c1a6b3e096f

    • SHA1

      9b06a00d3e5370a43e9e123235850263857f0270

    • SHA256

      8f8da0486aaad7e72a762f3c66f64a960a6f6dacbc9f21fb3567a8c0b5be48de

    • SHA512

      b2c5c8743ed94b03441404552fcf31d403344dd2546c1b72011b2053dc47b993b98d25c1635f73dfa199fc4fb180b3a3ff8a00cebeba27af1948aa058d1a167c

    • SSDEEP

      12288:wIdgdMqoYBE5gTG2DQy2KibdJBA7gsh9NXsVWgCqGum80deaARreevyq4K6mf:UmdYmCq2DsnZJBAxN8JCqG380KhvVsQ

    • Detect ZGRat V1

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks